LDAP-UX Integration B.04.20 Release Notes (June 2009)
RFC 2307, see the section “Configuring for Use with Microsoft Windows Active Directory Server” before you run setup or migration.

If your user and group data have been migrated to an LDAP directory, you can set up a client system as described below. If you have not migrated your name service data to an LDAP directory, refer to LDAP-UX Client Services B.04.15 Administrator’s Guide for complete migration details.

The following shows basic instructions for configuring the LDAP-UX Client Services:
1. When your LDAP directory is configured and contains your name service data, you can run the setup program and follow the prompts to configure your client:

   cd /opt/ldapux/config
   ./setup

   NOTE: At the end of setup, you will be prompted to start/restart ldapclientd. You can choose not to start it right away. However, you must start the daemon, ldapclientd, for LDAP-UX functions to work.

   For details on running the setup program, refer to LDAP-UX Client Services B.04.15 Administrator’s Guide.
2. Save a copy of /etc/pam.conf and modify the original file to add /usr/lib/security/libpam_ldap.1 on the HP-UX 11i v1 system or libpam_ldap.so.1 on the HP-UX 11i v2 system where it is appropriate. If your system is in the standard mode, see /etc/pam.ldap for an example. If your system is in the Trusted Mode, see /etc/pam.ldap.trusted for an example.

   NOTE: If you use PAM Kerberos, you must configure PAM Kerberos. On the HP-UX 11i v1 system, you need to add /usr/lib/security/libpam_kerberos.1 to /etc/pam.conf where it is appropriate. On the HP-UX 11i v2 system, you need to add libpam_kerberos.so.1 to /etc/pam.conf where it is appropriate. If your system is in the Trusted Mode, see LDAP-UX Client Services B.04.15 with Microsoft Windows Active Directory Server Administrator’s Guide for the detailed configuration. The Configuration Guide for the Kerberos product is available at http://docs.hp.com.
3. Save a copy of the /etc/nsswitch.conf file and modify the original to add ldap to the name services it should support. See /etc/nsswitch.ldap for an example.

4. Test your setup with the pwget(1) and grget(1) commands to ensure that the client is reading the name service information from the LDAP directory.

5. If you use netgroup to control access to your hosts, you may wish to install and configure pam_authz. See the pam_authz(5) man page for more details.

For more information on testing, troubleshooting, and shortcuts to configure additional clients, refer to LDAP-UX Client Services B.04.15 Administrator’s Guide.
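The following script is an added example, not part of the HP release notes or the LDAP-UX product, that checks the results of steps 2 and 3 before you rely on them: it confirms that the passwd and group databases in an nsswitch.conf list the ldap source and that the login service in a pam.conf calls libpam_ldap for both auth and account, and it wraps the pwget(1) lookup from step 4 so it only runs where the command exists. File paths are parameters, so the checks can be run against the constructed sample files the script generates (assumed to live in a temporary directory created with mktemp -d, which the release notes do not mention) as well as against the live /etc/nsswitch.conf and /etc/pam.conf on an HP-UX client.

```shell
#!/bin/sh
# Added example (not from the HP release notes): sanity-check the LDAP-UX client
# configuration described in steps 2-4. Works on any POSIX sh with sed and awk.

# nsswitch_has_ldap FILE DATABASE
# Returns 0 if the DATABASE line (e.g. "passwd:") lists "ldap" as a source,
# ignoring comments and the [NOTFOUND=...] action tokens.
nsswitch_has_ldap() {
    sed 's/#.*//' "$1" | awk -v db="$2" '
        {
            line = $0
            sub(/^[ \t]*/, "", line)
            if (index(line, db ":") != 1) next          # not this database
            srcs = substr(line, length(db) + 2)           # text after "db:"
            n = split(srcs, f, /[ \t]+/)
            for (i = 1; i <= n; i++) if (f[i] == "ldap") found = 1
        }
        END { exit found ? 0 : 1 }'
}

# pam_has_module FILE SERVICE TYPE MODULE
# Returns 0 if a non-comment line "SERVICE TYPE control module_path ..." in FILE
# names a module whose path contains MODULE (e.g. libpam_ldap, which covers both
# the 11i v1 libpam_ldap.1 and the 11i v2 libpam_ldap.so.1 names).
pam_has_module() {
    sed 's/#.*//' "$1" | awk -v svc="$2" -v typ="$3" -v mod="$4" '
        $1 == svc && $2 == typ && index($4, mod) > 0 { found = 1 }
        END { exit found ? 0 : 1 }'
}

# check_ldapux_config NSSWITCH_FILE PAM_FILE
# Prints one PASS/FAIL line per check and returns the number of failed checks.
check_ldapux_config() {
    fails=0
    for db in passwd group; do
        if nsswitch_has_ldap "$1" "$db"; then
            echo "PASS nsswitch: $db lists ldap"
        else
            echo "FAIL nsswitch: $db does not list ldap"; fails=$((fails + 1))
        fi
    done
    for typ in auth account; do
        if pam_has_module "$2" login "$typ" libpam_ldap; then
            echo "PASS pam: login $typ uses libpam_ldap"
        else
            echo "FAIL pam: login $typ lacks libpam_ldap"; fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# verify_lookup USERNAME
# Step 4's check: resolve a user through the name service with pwget(1).
# pwget exists only on HP-UX, so on other hosts this reports and returns 2.
verify_lookup() {
    if command -v pwget >/dev/null 2>&1; then
        pwget -n "$1"
    else
        echo "pwget(1) not available on this host; run this on the HP-UX client"
        return 2
    fi
}

# make_samples: write constructed sample files (modelled on /etc/nsswitch.ldap
# and /etc/pam.ldap, not copied from them) into a temp dir and print its path.
make_samples() {
    d=$(mktemp -d)   # assumption: mktemp -d is available on the host
    cat > "$d/nsswitch.good" <<'EOF'
# constructed sample
passwd:   files [NOTFOUND=continue] ldap
group:    files [NOTFOUND=continue] ldap
hosts:    dns [NOTFOUND=continue] files
EOF
    cat > "$d/nsswitch.bad" <<'EOF'
passwd:   files
group:    files   # ldap is mentioned only in this comment
EOF
    cat > "$d/pam.good" <<'EOF'
# constructed sample (HP-UX 11i v1 module names)
login   auth    sufficient  /usr/lib/security/libpam_ldap.1
login   auth    required    /usr/lib/security/libpam_unix.1 try_first_pass
login   account sufficient  /usr/lib/security/libpam_ldap.1
login   account required    /usr/lib/security/libpam_unix.1
EOF
    cat > "$d/pam.bad" <<'EOF'
login   auth    required    /usr/lib/security/libpam_unix.1
login   account required    /usr/lib/security/libpam_unix.1
EOF
    printf '%s\n' "$d"
}

# Demo against the constructed samples: ./check_ldapux.sh demo
# Live use after editing the real files: check_ldapux_config /etc/nsswitch.conf /etc/pam.conf
if [ "${1:-}" = demo ]; then
    d=$(make_samples)
    check_ldapux_config "$d/nsswitch.good" "$d/pam.good"
    check_ldapux_config "$d/nsswitch.bad" "$d/pam.bad" || echo "($? check(s) failed, as expected)"
    rm -rf "$d"
fi
```

The PAM check deliberately matches on the module basename rather than the full path, because the module is /usr/lib/security/libpam_ldap.1 on HP-UX 11i v1 and libpam_ldap.so.1 on 11i v2; it does not confirm that libpam_unix is still listed after libpam_ldap, which you should keep so that local accounts continue to log in when the directory is unreachable.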
Configuring for Use with Microsoft Windows Active Directory Server

The LDAP-UX Client Services provides default attribute and search descriptor settings to work with Microsoft Windows Services for UNIX 3.0 or 3.5 (SFU 3.0/SFU 3.5) when working with the Windows 2003/2003 R2/2008 Active Directory Server.

Windows 2003 R2/2008 Active Directory Server provides the ADS 2003 R2 RFC 2307 schema, which is compliant with the IETF RFC 2307 standard.

If you use SFU 2.0 with Microsoft Windows 2003 ADS, you must run setup to select SFU 2.0 before running migration. Alternatively, you can manually re-link the attribute configuration file to SFU 2.0 before running migration. Use the following command to switch to SFU 2.0:

   ln -fs /etc/opt/ldapux/default_profile_attr_ads_sfu2.ldif \
       /etc/opt/ldapux/default_profile_attr_ads.ldif